Test Center ThreatWatch: Sept. 17
Attack Watch: Sept. 17
From what we see, it's clear that continual review of passwords and password policies remains a top item on network best-practices lists.
The most persistent hits on the network here were attempts to break into the master database of the network's SQL Server. The login attempts were made using the default SQL admin account "sa." There were two different originating IP addresses logged in these attempts. The first was an address that traces back to Beijing, China. The intrusion attempts from that location were made four times, and seemed to be attempts at hacking into the sa account by banking on a weak password.
The hacking attempt took shots at the database by using passwords like "password," "12345," and "abc123."
The second IP address logged as the source of a SQL hacking attempt traced back to cable giant Time-Warner in the Charlotte, North Carolina area. These attacks took place every second for a full minute -- what appears to have been a hit from a random password generator. The first couple of attempts ran through a number of "a" words: "apple, adam, alpine..." And then, according to our logs, the hacker began guessing passwords beginning with the letter "b," such as "bike," "baldeagle," "batcave" and even "billybob."
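The two patterns above (a few guesses spread out over hours, and one guess per second for a full minute, both against "sa") are exactly what a failed-login rate check should surface. The following is an added example, not code from the Test Center; it assumes log lines shaped like SQL Server's "Login failed for user" error-log entries, and the addresses and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the shape of SQL Server error-log entries
# (timestamp, source column, message). Addresses are documentation ranges.
_FMT = "2007-09-17 {:02d}:{:02d}:{:02d}.00 Logon       Login failed for user '{}'. [CLIENT: {}]"
SLOW_SOURCE = "203.0.113.10"   # four guesses, hours apart
FAST_SOURCE = "198.51.100.7"   # one guess per second for a minute
SAMPLE_LOG = "\n".join(
    [_FMT.format(h, 15, 0, "sa", SLOW_SOURCE) for h in (1, 4, 9, 13)]
    + ["2007-09-17 02:30:00.00 Logon       Error: 18456, Severity: 14, State: 8."]
    + [_FMT.format(2, 30, s, "sa", FAST_SOURCE) for s in range(60)]
    + [_FMT.format(2, 31, 5, "dbreader", FAST_SOURCE)]  # other account, not counted
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\.\s*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Yield (timestamp, user, client_ip) for each failed-login line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def find_bruteforce_sources(text, user="sa", threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: total_failures} for clients with at least `threshold`
    failed logins for `user` inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for ts, u, ip in parse_failed_logins(text):
        if u == user:
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_LOG))                                   # the per-second source
    print(find_bruteforce_sources(SAMPLE_LOG, threshold=4, window=timedelta(hours=24)))  # both sources
```

The one-minute window catches the per-second run; the slow, hours-apart guesses against the same account only show up when the window is widened, which is why a rate rule alone is a weak substitute for a strong sa password.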
An intruder attempted to use a Symantec antivirus exploit -- a flaw discovered in 2006 which took advantage of Symantec's Auto Update capability to exploit a machine. Symantec has had this issue long-since patched, but the intruder apparently was checking to see if the patch was applied on the test network. The IP address traced back to Beijing, China.
Other activity: a sniff attempt from an IP address in Athens, Greece. The simulated telnet service picked up activity from Belgium as well as from Moscow. There were also the usual relay mail attempts -- this time from Taipei, Taiwan. Also, the trap network picked up an attempted SQL Server UDP worm attack from an IP address which traces back to Tokyo.
Spam Watch: Sept. 14 through Sept. 16
More medium-level spam messages are getting quarantined or slipping into the Inbox as filters struggle to differentiate legitimate URLs from spam sites. Many messages directed users to a Google Blogger site that turned out to really be a phish, spam, or malware site. Mail activity was lower yesterday than on Monday.
Yesterday's mail breakdown also shifted slightly from the seven-day pattern, with spam taking a bigger slice. Blocked connections dropped from Monday's peak to 85.7 percent, and spam volumes (not including viruses) increased to 13.7 percent.